Investigation on 05/08/2001 at Louisville, Kentucky (telephonically)


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
FEDERAL BUREAU OF INVESTIGATION


Date of transcription 05/29/2001


[___] of Network Consulting,
contracted to World View Resources, Inc., 1724 Franklin Street,
Henderson, 0-5208, telephone number [___],
cell phone [___], was telephonically interviewed at his
place of employment. The identity of the interviewing Agent was
previously established in a previous investigation.
Through the telephonic interview and use of e-mail, the following
information was obtained:


According to [___], during the night of 05/07/2001, the web
site of World View Resources was replaced by a web page reading,
"fuck USA Government fuck PoizonBox
contact: sysadmcn@yahoo.com.cn". [___] stated damage was
minimal and the original web page was retrieved from the back-up
kept in case of this type of attack.


Upon writer's request, [___] e-mailed several pages
of information to writer.


Date dictated 05/29/2001 


it and its contents are not to be distributed outside your agency. 
FEDERAL BUREAU OF INVESTIGATION


Date of transcription 05/29/2001


[___], Social Security Account
Number [___], telephone number [___], was
interviewed at his place of employment, Morgan & Pottinger Law
Firm, 601 West Main St., Louisville, Kentucky 40202, telephone
number [___]. The identity of the interviewing Agent was
previously established in a previous investigation.
On 05/22/2001, writer telephonically interviewed [___] at his
place of employment. Through the use of e-mail and follow-up
interview on 05/23/2001, the following information was obtained:


[___] explained four of Morgan & Pottinger's web sites
had been compromised and defaced within twenty minutes of each
other the night of 05/09/2001. The web pages had been replaced
by a web page stating "fuck USA Government fuck PoizonBox
contact :sysadmcn@yahoo.com.cn". [___] tracked the IP address
to a Korean address of 210.179.217.2.


After [___] contacted writer on 05/10/2001, writer
advised [___] to obtain patches per the NIPC advisory. During
the interview on 05/23/2001, [___] stated these patches worked
and that Morgan & Pottinger did have some holes that [___] was
unaware of. [___] stated the systems at Morgan & Pottinger
still get probed approximately two times per day.


[___] estimates the damage to the web pages to be approximately 1500.
[___] provided the interviewing Agent with several hard copies
of the logs.


Investigation on 05/23/2001 at Louisville, Kentucky


Date dictated 05/29/2001 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;
it and its contents are not to be distributed outside your agency. 
FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE Date: 06/13/2001 


From: Louisville b7C
Squad 5 b7E
Contact: SA [___]


Approved By:


Drafted By: 


Title: Hacker/Honker Union of China 
Illinois Secretary of State
Intrusion 
04/03/2001 


Synopsis: To report on interviews conducted per lead from 
Chicago. 


Enclosures: Enclosed for Chicago are the following: 


1) One original [___] of FD-302 interviews of [___]
b7C


2) logs provided to FBI Louisville from Morgan & 
Pottinger, 


3) log information provided to FBI Louisville from 
World View Resources via e-mail, 


4) log information provided to FBI Louisville from 
Choice Systems, 


5) NIPC Cyber Incident Report Form submitted by
Covington Board of Education. 


Details: Per lead sent from Chicago Division concerning 
captioned matter, writer was able to identify three companies who 
reported being targets of the Chinese web page defacement 
attacks. Writer sent a communication to all INFRAGARD members 
and several individuals on a local office alert list requesting 
any and all victims of captioned matter to contact the FBI 
Louisville office immediately. 


b3 
b7E 


To: Chicago From: Louisville
Re: 06/13/2001 


Two companies responded with positive information and 
were interviewed immediately. The FD-302’s of those interviews 
are included. 


During the course of investigating another lead from 
another field office, a third company was discovered as being a 
victim of the web page attack. This company is Choice Systems. 

A fourth organization, Covington Board of Education, 
responded via the NIPC Cyber Incident Report Form found on the
NIPC web page. This report was forwarded to writer. A voice 
mail message was left for the contact several times, but no 
response was ever realized. Contact information for the 
Covington Board of Education is being forwarded to Chicago with 
this communication. 

In summary, all three companies report very little 
expense and describe the loss as time lost in reconfiguring the 
web pages back to their normal status. 


Louisville considers this lead covered. 


LEAD (s): 
Set Lead 1: (Adm) 
CHICAGO 
AT CHICAGO 


Read and clear. 
FD-542 (Rev. 11-02-1999)


Precedence: ROUTINE Date: 05/30/2001 
To: Portland Attn: [___]
From: Portland b3 
Squad 4 b6 
Contact: SA [___] b7C
b7E 


Approved By: 
Drafted By: 


Case ID #: [___] (Pending)

Title: HACKER/HONKER UNION OF CHINA 
CHICAGO SYSTEMS GROUP - VICTIM 
INTRUSION 


Synopsis: To claim stat for identification of compromised sites. 


Details: On May 4, 2001 and May 17, 2001, Portland provided 
Chicago with information related to 15 compromised servers 
identified by Portland during its investigation of Chinese based 
web page defacements. (See serials 4 and 22 respectively in the 
above case) 


b3 
b7E 


To: Portland From: Portland
b7E 


Accomplishment Information: 


Number: 15 

Type: NIPCIP COMPROMISED SITES IDENTIFIED AND NOTIFIED

ITU: AGENT INTERVIEW 

ITU: LIAISON WITHIN FBI 

Claimed By:
SSN: [___] b6
Name: [___] b7C


Squad: 4 
FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE Date: 06/11/2001
To: Chicago Attn: Evidence Custodian Technician
SA [___]


From: Richmond 
Squad 7, Roanoke RA 
Contact: 


Approved By:
Drafted By: 


Case ID #: [___] (Pending)
Title: UNSUBS; 
HONKERS UNION OF CHINA; 
INFINITY THL-DATA, INC. ; 
ET AL. - VICTIM 
COMPUTER INTRUSION 


Synopsis: Sound Stage, Roanoke, VA, experienced a computer
network intrusion traced back to a site(s) in China. No
significant damage reported. Information provided to CG for
review and to determine its relevancy with regard to captioned
investigation.


Package Copy: One "CD" and printout of a computer log and
computer file left on the network server of Sound Stage, 103 8th
Street, Southeast, Roanoke, Va. 24013, [___] for
transmittal to CG.


Details: [___], Sound Stage, contacted
the Roanoke RA, Richmond Division, to advise that a file
inserted into their computer system is believed to have
originated in China. No damage was done to Sound Stage's system,
and the file was removed and the "holes" were successfully
patched. [___] advised he was unsure as to when the initial
intrusion occurred, but the computer logs will show the date upon
which the file was discovered and extracted/removed. Sound Stage
is unaware of any previous problems regarding the site in China,
and has not had any further difficulties since that time.

[___] advised that no significant monetary damages were caused
by this event.


b3 
b6 
b7C
b7E 


b7C 


b3 
b7E 


To: Chicago From: Richmond b3
Re: [___] 06/11/2001 b7E


LEAD (s):
Set Lead 1: 
CHICAGO 
AT CHICAGO, IL. 


Review enclosed material for its relevancy and possible 
inclusion into ongoing captioned investigation. 
FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE Date: 05/29/2001
To: Chicago Attn: SA [___]

From: Philadelphia
Williamsport
Contact: SA [___] 570-329-5328


Approved By: 


Drafted By: 


Title: Hacker Honker Union of China; 
Illinois Secretary of State; 
04/03/2001; 

Intrusion 


Synopsis: Three complaints received by Williamsport RA 
(Philadelphia Division) in reference to above captioned case. 


Details: Three complaints have been telephonically received by 
the Williamsport RA in reference to the Honker Union of China 
hacking case. 


Complaint #1 (Reported 05/07/2001) 


The complainant, [___], 800 West Fourth Street,
[___], 570-323-1010 ext. [___], is the
[___] for REGSCAN, INC., an
electronic publishing and Internet web-site developer located in
Williamsport, PA. The complainant advised that one of REGSCAN's
computer systems was hacked into through port 80 using a
vulnerability in the Solaris operating system. The attack
occurred Saturday, May 5, 2001 from approximately 11:15 a.m. to
12:15 p.m.




Specifically, the sadmind/IIS worm is suspected in the 
attack, based on information provided to REGSCAN by the CERT 
advisory staff at Carnegie Mellon University. The worm takes 
advantage of a two-year old buffer overflow vulnerability in the 
Solstice sadmind program. Once the system is compromised, the 
hacker utilizes a seven-month old vulnerability in the IIS 
system. The complainant advised that the REGSCAN computer system 


b3 
b7E 




b3 
b6 
b7C
b7E 


b3 
b7E 


b6 
b7C 


To: Chicago From: Philadelphia


b7E 
did not have the latest IIS patch installed on the operating 
system. 

After the system was hacked, the attacker modified the
REGSCAN web-site by placing the message "Fuck the USA Government,
Fuck Poison Box" on the home page. The IIS log files revealed
the offender with an IP address of 210.77.147.216.
b7E 


Based on the context of the disparaging message left on
the web-site, it is believed that the attack may have been one of
several attacks occurring in recent days between Chinese and U.S.
hacker groups, in the aftermath of the collision between a U.S.
Navy intelligence plane and a Chinese fighter jet. "Poizon Box"
is a known U.S. hacking group, made reference to in a portion of
the disparaging message. It is believed that the attack most
likely originated in China.


No data was lost in the attack, and minimal time was 
spent on repairing the web page and installing the IIS patch. 


Complaint #2 (Reported 05/03/2001) 


The complainant, [___], SEDA-COG, RR1 Box 372,
Lewisburg, PA, telephone number 570-524-4491, ext. [___], is a
[___] at Susquehanna Economic Development
Association - Council of Governments (SEDA-COG). SEDA-COG is
federally funded through various federal grants. The complainant
advised that an unknown hacker compromised their computer server
on 05/02/01 at approximately 12:15 P.M. The hacker modified
the SEDA-COG web-site home page with derogatory information.


Specifically, the hacker left the message "Fuck USA 
Government" and "Fuck PoizonBOx" on the web site. The 
complainant advised that SEDA-COG utilizes Microsoft Servers with 
all the current patches installed. 


A review of the appropriate log files revealed IP 
Address 210.230.128.198 logged at 12:08:59 P.M. on 05/02/01. The 
IP address returns to Japan Network Information Center, Fuundo 
Building, 3F, 1-2 Kanda-Ogawamachi, Chiyoda-ku, Tokyo 101-0052, 
Japan, an Internet Service Provider in Japan. 


To: Chicago From: Philadelphia


b7E 


The complainant estimates the attack caused four staff 
members to work two days to bring the web-site back online. No 
data loss occurred as a result of the hack. 


Based on the information from the complainant, the
Williamsport Resident Agency believes the attack is one of many
conducted by various Chinese hackers in retaliation for the
collision between a U.S. Navy surveillance plane and a Chinese
jet fighter several weeks ago.


Note: On May 10, 2001, a news brief on AP Wire 
indicated the following: 


"A self-styled alliance of Chinese computer hackers has 
called a halt to attacks on U.S. Web sites, after claiming to 
have broken into more than 1,000 sites. The group that calls 
itself the "Hongke Union" thanked hackers for taking part in the 
campaign against U.S. Web sites, but said it would not be
connected to any further attacks. Chinese hackers declared a 
weeklong war on U.S. sites, from April 30 to May 7 (2001), after 
a U.S. Navy spy plane collided with a Chinese fighter jet setting 
off a diplomatic standoff. The fighter pilot was killed in the 
April 1 collision. Hackers attacked the White House Web site on 
May 4, leaving it completely blocked or difficult to access for 
about six hours." 


Complaint #3 (Reported 05/18/2001) 


The complainant, [___], Brodart Company, 500 Arch b6
Street, Williamsport, PA 17705, telephone number 570-326-2461, b7C
ext. [___], e-mail [___], is a
[___] with Brodart Company in Williamsport.


Brodart had two computer hacking attacks, one on
05/04/2001 with a logged IP address of 210.59.251.135, and the 
second on 05/06/2001 with a logged IP address of 137.140.8.104. 
The attackers modified a web page on a "non-live" server which 
read, "Fuck the USA Government, Fuck Poizonbox." 


Brodart runs the Windows 2000 operating system on their
servers. [___] advised that at the time of the attack, service b6
pack 2 was not installed, which made the servers vulnerable to b7C
the Sadmind worm attack.


[___] advised that the 05/06/2001 attack was relayed
through a Sun Solaris system operated by a State University of
New York (SUNY) professor in New Paltz, NY. Brodart personnel


To: Chicago From: Philadelphia
Re: [___] 05/29/2001


b7E


contacted [___], telephone number [___], at SUNY to
advise them of the route-thru attack.


In all three complaints, the complainants were advised
to maintain their log files and web page modifications, as
evidence, should the FBI prosecute any case in this matter.


To: Chicago From: Philadelphia b3
Re: [___] 05/29/2001 b7E


LEAD (s):
Set Lead 1: 
CHICAGO , 
AT CHICAGO 


For information, read and clear. 
FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 05/25/2001


[___], date of birth [___], Social
Security Account Number [___], b6
telephone number [___], b7C
was contacted by Special Agent (SA) [___], Federal Bureau
of Investigation (FBI), St. Louis Division. After being advised of
the identity of the interviewing Agent, [___] provided the
following information:

[___] has a web host development business with
the financial assistance from [___].


b7C
Two of [___] computer servers were attacked by hackers
believed to be from China. The main server was partially owned
by a third party, Lamont Development Group. [___] provided [___]
as a point of contact for Lamont. The Lamont
Development Group actually purchased the equipment and it was being
maintained at the Cybercon Company, 210 North Tucker Street, St.
Louis, Missouri.


[___] second server, used primarily for development and testing,
was solely owned and operated by Electranet, [___] business,
also known as Electric Man Internet Services. b6
b7C

On Sunday, May 5, 2001, at approximately 9:00 A.M., [___]
discovered that someone had attacked his server. [___] had been
working on the server on Saturday evening, May 4, 2001, and
finished his work about 8:00 P.M. Upon re-entering the server on
Sunday, [___] discovered the intrusion.


One of [___] clients had their web page replaced with a
Chinese flag, and music (possibly the Chinese national anthem) and a
message about President Bush being a murderer along with other b6
remarks. [___] had saved all of the web defacement images, but all b7C
of the web site files had been deleted by the hackers.


[___] had written all of the code for the web sites and
would be able to replace the web page. However, [___] discovered the
hackers had erased any activity in the log files of their


Investigation on Missouri 


b3 


Date dictated 05/15/2001


b7E


File # 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 
Continuation of FD-302 of [___], On 05/22/2001, Page 2


intrusion. [___] had unplugged the Internet access to the server
until he could address the problem.


had been remotely accessing the second server (used 
for development and testing) on Sunday, May 5, 2001 and on Monday, 
May 6, 2001 until about 1:00 P.M., at which time he stopped to run 
an errand. 


Upon attempting to access the second server again, [___]
discovered the management console counselor for passwords had been
deleted. The event logs, service logs, a new directory called
"Fuck You" and other directories had been recreated by the hackers.


The second server had been manipulated so that passwords
could not be changed by [___] or other users. In the default
directory, there were web pages with slanderous remarks. There was
also an executable file, "sr.exe", which showed that it was
modified on May 6, 2001 at 2:02 P.M. The hackers had also removed
the file needed to reboot the system. [___] was concerned about
how the hackers had been able to obtain system-level access without
using passwords.


All of [___] fifty-three customer web pages were
affected by the attack. Some of the customers had contacted [___]
about their web pages being down. [___] told his customers that he
was having a security problem and was addressing it.


[___] started his business in August of 2000. [___] used
to work for an Internet Service Provider (ISP) that went out of
business. [___] started his own business and began recruiting back
some of the customers of the failed ISP.


[___] showed SA [___] the web page defacement. The
defacement was mostly black with red lettering and the words
"Honker Union of China" "Hacked by red freedom" "USA = Nazi" "Bush
= Murderer" "Beat down imperialism of America".


[___] provided a listing of the files which had been
deleted from a back-up copy which he had. [___] also provided
passwords for both of the servers that had been attacked.


[___] estimated that the attack had cost him $16,633.00
in business and $11,583.00 in lost time to make the necessary
repairs for a total of $28,216.00.


b3 
b6 
b7C 
b7E 


b6 
b7C
Continuation of FD-302 of [___], On 05/22/2001, Page 3


Both servers were taken by SA [___] for a forensic
examination to be performed by the St. Louis Division. [___] was
provided a FD-597, Receipt for Property form, from SA [___] for the
following two servers:


1) Compaq Proliant ML370 server 


2) IBM Clone web server, Creative Labs, 
containing a DVD ROM drive in the CD Bay 


b3 
b6 
b7C 
b7E 


b6 
b7C
FD-302 (Rev. 10-6-95)


FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 06/19/2001 


[___], Mary Institute and
Saint Louis Country Day School (MICDS), was contacted by SA [___],
Federal Bureau of Investigation, St. Louis Division.
After being advised of the identity of the interviewing agent, [___]
provided the following information:


[___] had e-mailed the St. Louis Division with a
request for assistance with a web page attack at MICDS. SA [___]
had telephonically contacted [___] and scheduled an appointment
to pick up the computer system logs from the attack.


On May 7 and May 10, 2001, a public web server at Mary
Institute and Saint Louis Country Day School (MICDS) was attacked.
[___] was notified by the Technology Department about the
defacement on 5/7 and by the Business Department on 5/10.


The server was running Windows 2000, Service Pack 1 and
Internet Information Services (IIS) 5.0. The DNS (Domain Name
Server) was mail.micds.org. [___] applied new patches to fix the
problem after researching the attack on the CERT (Computer Emergency
Response Team) web page.


The attack shut down a web page and replaced the text with
the message, "Fuck USA Government, Fuck PoizonBOx, contact
sysadmcn@yahoo.com.cn"


[___] attempted to send e-mails to the hosts which appeared
on the logs, but all attempts at communication bounced. [___]
deleted all the files which were modified and redirected the
web page. [___] then recreated the web page.

[___] provided a floppy diskette to SA [___] with the
log activities from the attack.


Investigation on 


File # Date dictated 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
FEDERAL BUREAU OF INVESTIGATION


Date of transcription 06/19/2001 


[___], [___] Cellular, Date of Birth [___], telephone number [___],
telephonically contacted the St. Louis Division and
scheduled a time and agreed to meet and discuss a web page
defacement at the [___] Psychology Department where [___].
[___] agreed to meet at the St. Louis Division Office, 2222 Market
Street, St. Louis, Missouri.


[___] was contracted to build a database for nationwide
research by Washington University, Psychology Department in
September 2000. [___] obtained his graduate degree in Computer
Science from Washington University.


The database was to be accessible to other researchers
throughout the nation. The web page for the database was defaced
by unknown attackers who replaced the web page with the text, "Fuck
USA Government, Fuck PoizonBOx, contact sysadmcn@yahoo.com.cn".


[___] advised SA [___] that he would e-mail the system
logs to SA [___] the next time he was physically at the server.
[___] advised the GET command was utilized on Port 80 to gain
entry into the database server.


[___] had already traced two of the IP (Internet
Protocol) addresses back to China and Brazil. The China IP address
was 210.52.149.171 and the Brazil IP address was 200.199.223.150.


Investigation on Missouri 


Date dictated 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;
it and its contents are not to be distributed outside your agency.
FEDERAL BUREAU OF INVESTIGATION


Date of transcription 06/15/2001 


[___], [___] for Science and Math Tutoring,
located at 18 Arbor Road, St. Louis, Missouri 63132, telephone
number [___], was telephonically contacted by Special
Agent (SA) [___], Federal Bureau of Investigation (FBI),
St. Louis Division. After being advised of the identity of the
interviewing Agent, [___] provided the following information
about a web site attack:


[___] had submitted an incident report to the National
Infrastructure Protection Center (NIPC) about a web page defacement
on May 12, 2001. The attack took place approximately May 5, 2001.


The attack was similar to other web site defacements by 
the Honker Union of China. The attacks take over the web site and 
display a message that states "Fuck USA Government, fuck PoizonBOx, 
contact sysadmcn@yahoo.com.cn". The screen is normally black and
the letters of the text are red. 


[___] contacted his systems engineer technician, [___]
of Wareforce, telephone number [___]. [___]
performed all of the patch updates to help secure the
system from future similar exploits. [___] paid $100.00 for
the services.


[___] server was not used for any type of tutoring,
but rather for advertising of the science and math tutoring
business.


[___] opined that the attack might possibly be the
Chinese since an IP address from the source of the attack
originated from China.


[___] suggested that SA [___] contact [___] to
discuss some of the technical questions of the attack.


Investigation on 06/14/2001 at St. Louis (telephonically)


Date dictated 06/13/2001


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE Date: 06/11/2001 


To: Counterterrorism Attn: Computer Investigations
Unit, Room 5965, National
Infrastructure Protection
Center (NIPC)

From: St. Louis


Approved By: [___]
b7C
Drafted By: [___] b7E


Title: Subject: HONKER UNION OF CHINA 


Victim: Math & Science Tutoring 


Type: Computer Intrusion (Web Page Defacement) 
Date: 05/05/2001 


SUBMISSION: [X] Initial [ ] Supplemental [ ] Closed


CASE OPENED: 05/10/2001


CASE CLOSED: 06/11/2001 (Referred to Chicago Division)
[ ] No action due to state/local prosecution

(Name/Number: )

[ ] USA declination

[ ] Referred to Another Federal Agency

(Name/Number: )

[ ] Placed in unaddressed work

[X] Closed administratively

[ ] Conviction


COORDINATION: FBI Field Office St. Louis Division 
Government Agency 
Private Corporation 


VICTIM 


Company name/Government agency: Math & Science Tutoring
Address/location: 18 Arbor Road, St. Louis, MO 63132


Purpose of System: Advertising Tutoring Business
Highest classification of information stored in system: N/A


UPLOADED TO ACS/ECE b3
b6
BY SL b7C
b7E


b3 


To: Counterterrorism From: Washington Field b7E


Re: Date: 06/12/2001 


System Data:
Hardware/configuration (CPU): Compaq Proliant 1600 (rack mount)
Operating System: Windows NT 4.0
Software:


Security Features:
Security Software Installed: [ ] yes (identify ) [X] no
Logon Warning Banner: [ ] yes [X] no


INTRUSION INFORMATION 


Access for intrusion: [X] Internet connection [ ] dial-up number [ ] LAN (insider)
If Internet: Internet address: dynamic


Network name: 

Method: 

Technique(s) used in intrusion: IIS/Sadmind Exploit (list
provided)
Path of intrusion:
addresses: 1. 217.0.35.89 2. 3.
country: 1. 2. 3.
facility: 1. 2. 3.
Subject: 

Age: Race:

Sex: Education:

Alias(s): Motive:

Group Affiliation: HONKER UNION OF CHINA. 

Employer: 

Known Accomplices: 

Equipment used: 

Hardware/configuration (CPU): 

Operating System: 

Software: 
Impact: 


Compromise of classified information: [ ] yes [X] no
Estimated number of computers affected: Z 


Estimated dollar loss to date: $100 Service Charge


To: Counterterrorism From: Washington Field
Re: [___] Date: 06/12/2001 b3


b7E 
Category of Crime:
Impairment: Theft of Information:
[X] Malicious code inserted [ ] Classified information compromised
[ ] Denial of service [ ] Unclassified information compromised


[ ] Destruction of information/software [ ] Passwords obtained
[X] Modification of information/software [ ] Computer processing time obtained
[ ] Telephone services obtained
[ ] Application software obtained
[ ] Operating software obtained
Intrusion:
[X] Unauthorized access
[ ] Exceeding authorized access


REMARKS
On May 5, 2001, Science and Math Tutoring had their web
page defaced by unknown attackers. [___] hired b6
Wareforce, a computer security company, to fix the problem and b7C
install new patches.


Wareforce sent [___]
to Science and Math Tutoring to repair any damage and install the
patches to prevent future attacks using the same exploit.
[___] has performed services at Science and Math Tutoring prior to
this service call. [___] updated the computer system with the
latest Windows NT patches.


[___] suggested to [___] that a report be
submitted to the FBI regarding the incident. [___] completed
the National Infrastructure Protection Center Report and
facsimiled the report to the Watch and Warning Unit located in
Washington, D.C. on May 12, 2001. The report was later forwarded
to the St. Louis Division on May 22, 2001.


The web defacement had the same text as many other 
businesses in the St. Louis area. The message stated, "Fuck USA 
Government, fuck PoizonBOx, contact sysadmcn@yahoo.com.cn" 


[___] was not familiar with his computer system b6
enough to answer some of the questions needed for this form so b7C
[___] advised SA [___] to telephonically contact [___] and
ask him the technical questions. SA [___] asked if [___]
would charge Science and Math Tutoring a fee for
answering questions about their computer system.


[___] advised [___] was very nice and he should not
have any problems answering the technical questions.


To: Counterterrorism From: Washington Field
Re: [___] Date: 06/12/2001 b7E


On June 12, 2001, SA [___] telephonically contacted [___]
about [___] computer system. [___] provided the b6
technical information about the system such as CPU and operating b7C
system. [___] advised that the system had service pack 3 or
4 on it and he upgraded to service pack 6 to prevent the same
exploit from occurring again.


[___], [___] for Wareforce,
Computer Security Technician, telephone number [___], was
telephonically contacted by SA [___], Federal Bureau of
Investigation (FBI), St. Louis Division. After being advised of the
identity of the interviewing Agent, [___] provided the following
information:




[___] was contracted by [___], Science
and Math Tutoring located at 18 Arbor Road, St. Louis, Missouri, to
secure his computer system after a web page defacement.


[___] suggested that [___] contact the National
Infrastructure Protection Center (NIPC) to report the attack.
[___] had heard from other computer technicians this was the
proper procedure for these types of web page attacks.


SA [___] asked about some of the hardware and
software on [___] system. [___] stated that [___] was
using a Compaq Proliant 1600 rack-mount running Windows NT 4.0.
[___] had service pack 3 or 4 on the system, which [___]
updated to service pack 6.


[___] stated that [___] was using a dynamic IP
address at the current time. [___] also stated that a
vulnerability in Internet Information Services (IIS) was what was
exploited by the attacker(s).


SA [___] asked about the logs. [___] stated
that [___] should be able to access his system and retrieve
the logs and e-mail those to SA [___].

[___], when completing the incident
report for [___], wrote on the bottom of page 3 where he
had saved the logs from the attack: he had placed the log files
from the hack in D:\hack\logs\.
[___] suggested that SA [___] have [___] e-mail the logs to SA [___].


Investigation on [___] (telephonically)


File # Date dictated 06/13/2001


by 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency.




b6
b7C


b6
b7C


b6
b7C


b7C


b3
b6
b7C
b7E


FEDERAL BUREAU OF INVESTIGATION 


(Rev. 08-28-2000) 


Precedence: ROUTINE Date: 06/19/2001 
To: Chicago Attn: Squad [___] IP/C b3
St. Louis b7C
b7E 
From: St. Louis 
Squad 3 
Approved By: 
Drafted By: 
Case ID #: [___] (Pending)
Title: Hacker/Honker Union of China 
Illinois Secretary of State 
Intrusion 
04/03/2001 
Synopsis: Submit all case related documents from the St. Louis 
Division on above captioned matter. 
Reference: b3 
b7E 
Enclosure(s): Enclosed for the Chicago Division are the 
following case documents from victims in the St. Louis Division: 
1. Electranet - One original and one copy of FD-302 of
interview of victim [___], one 1-A envelope
containing notes of SA [___] and FD-597 for receipt of two
servers, one 1-A envelope containing FD-597 for return of two
servers, copy of FD-801. b6
b7C
2. City of St. Louis, Water Division - One original
and one copy of FD-302 interview of [___],
one original and one copy of FD-302 of [___]
faxing documents to St. Louis Division, one 1-A envelope
containing floppy diskette with logs, one 1-A envelope containing
notes of SA [___], one copy of documents faxed to St. Louis
Division, one copy of FD-801.


b3 


b6
b7C 
b7E 


To: Chicago From: St. Louis
Re: [___] 06/19/2001


3. Mary Institute and Saint Louis Country Day School
- One original and one copy of FD-302 interview of [___]
at MICDS, one copy of summary from [___],
one copy of e-mail message to
st.louis@fbi.gov from [___], one 1-A envelope containing
floppy disk with logs, copy of FD-801.


4. St. Louis Bridge Company - One copy and one
original of FD-302 interview of [___],
one 1-A envelope of zip disk with logs, hacker tools and NIPC
incident report, 13 pages of IP address Whois [___] from [___],
copy of Incident Report and letter submitted [___], copy of
FD-801.


5. Washington University - One original and one copy
of FD-302 interview of [___],
original logs, e-mail message from [___] to SA [___], copy of FD-
801.


6. Science and Math Tutoring - [___]
original of two FD-302's of interviews of [___],
[___] of FD-801.


Details:

Electranet

On May 6, 2001, [____] of Electranet, Web Host
Development Company, telephonically contacted the St. Louis
Division to report a web page defacement. The defacement
consisted of the Red China flag, music believed to be the Chinese
National anthem, and the text, "Honker Union of China" "Hacked by
red freedom" "USA=Nazi" "Bush=Murderer" "Beat down imperialism of
America". [____]'s main server which was hosting fifty-three
customer sites was attacked on 05/06/2001. [____] reported
another attack on his development/testing server on 05/07/2001.
[____]'s system was compromised and several files and directories
were deleted by the attackers and passwords were changed
preventing access by [____] or other users. [____] could not
produce any logs on the attack.


On May 14, 2001, [____] of St. Louis Water
Division telephonically contacted [____], Assistant
InfraGard Coordinator, about a web page defacement which
occurred on 05/07/2001. [____] faxed some documents to
[____] which included a very brief log. SA [____] interviewed
[____] and received a floppy disk
with logs and html code. The defacement did not reveal the text
which was written in the code. The text should have read, "Fuck
USA Government, Fuck PoizonBOx, contact:sysadmcn@yahoo.com.cn".
[____] opined that because he does not use Outlook to view
[...], the code did not work as designed. [____] was concerned
about how attackers made it past his DMZ firewall configuration
without the logs documenting the activity. [____] used the
Checkpoint Firewall-1 software.


Mary Institute and Saint Louis Country Day School
On May 7, 2001, the Mary Institute and Saint Louis
Country Day School (MICDS) was attacked with web defacements.
[____] e-mailed the St. Louis
Division about the defacement. SA [____] contacted [____] and
received a floppy disk with a very comprehensive log history.
The defacement consisted of the text (paraphrased) "F.. USA
Gov.., F.. PoizonBOx, contact...cn". The text was in red with
black background. [____] attempted to send e-mails to the
origins of the IP addresses, but all attempts bounced.


St. Louis Bridge Company
On May 14, 2001, the St. Louis Division received an
incident report and letter (explained incident) from the NIPC
Watch and Warning Unit which had been submitted by [____],
St. Louis Bridge Company. SA [____]
contacted [____] and received logs and IP address searches
conducted by [____]. The attackers were successful in accessing
the employee Intranet and displaying the defacement. A log
showed the letters HUC, which is believed to stand for Honker
Union of China. The hard drive on the company's server was
erased causing the system to crash. [____] determined through his
own investigation that his system was first breached on March 24,
2001.


Washington University Psychology Department

On May 11, 2001, the Washington University, Department
of Psychology, data base server web page was defaced. The server
was utilized in a research project nationwide.
[____] of the data base server contacted the St. Louis Division.
[____] provided logs on the defacement, which was consistent with
defacements by the Honker Union of China, (paraphrased text)
"F.. USA Gov.., ""F..PoizonBOx.""contact...cn".


Science and Math Tutoring

On May 12, 2001, an incident report was submitted to
NIPC Watch and Warning Unit by [____], Science
and Math Tutoring. The Incident Report was forwarded to SA [____],
St. Louis Division, who telephonically contacted [____].
[____]'s server was attacked with web defacement
similar to above stated cases. The defacement was as
follows (paraphrased) "F..USA Gov..""F..PoizonB..""contact...cn".
[____] contacted his [____]
who applied patches to the Windows NT system.


The St. Louis Division was made aware of other similar
incidents of web page defacements by the above mentioned victims;
however, there were not any reports or contact made by the actual
victims of the attacks.


The St. Louis Division considers this lead covered 
unless further advised by the Chicago Division. 
(Rev. 08-28-2000)

ROUTINE Date: 06/19/2001

Chicago Attn: SA [____]
Squad IP/C
From: Newark
Squad 2/Franklin Township Resident Agency
Contact: SA [____] 732/805-0463 ext. 271

Approved By:

Drafted By:

Case ID #: (Pending)

Title: HACKER/HONKER UNION OF CHINA;
ILLINOIS SECRETARY OF STATE;
INTRUSION
04/03/2001

Synopsis: Report results of interviews of companies whose
websites were defaced by captioned subject. Lead covered.

Enclosure(s): An original and two copies of FD-302's and 1A
envelopes with a 3.5" disk and original interview notes for each
of the following: ADP, INC., BURNS & ROE, CELARIX, INC.,
DATANOMICS, EDUNEERING, INC., FINANCIAL EXECUTIVES INTERNATIONAL,
JANOME-AMERICA, NOURISON, PICATINNY FEDERAL CREDIT UNION,
RAO.COM, SCREENZONE MEDIA NETWORKS, SOFTWARE PLUS, INC., TRIANGLE
MANUFACTURING, and US MORTGAGE CORPORATION. One FD-71 form from
each of the following: EBS TECHNOLOGY and TANGLIZE, INC. One
Cyber Incident Report Form from GOAMERICA COMMUNICATIONS CORP.

Details: Over the past two months, FBI Newark has received
numerous reports from New Jersey companies whose web pages have
been defaced with anti-American slogans and references to
"PoizonBOx". The media has reported these defacements are in
retaliation for the Chinese spy plane incident this past Spring.
FBIHQ advised FBI Chicago was coordinating the national
investigation into these incidents. Subsequently, in the
referenced communication FBI Chicago set a lead for FBI Newark to
conduct logical investigation of New Jersey victim companies.

Results of the requested investigations are enclosed.
As all logical investigation at FBI Newark is complete, Newark
considers this lead covered. However, FBI Newark will continue
to forward other reports of such incidents as necessary.
[____], ADP, Inc., ADP Boulevard,
Roseland, New Jersey, telephone number [____], was interviewed
telephonically. After being advised of the identity of the
interviewing Agent and the nature of the interview he provided the
following information.

ADP is a large provider of payroll and other data
processing services. Over a period of days beginning on 05/04/2001
at least three of the company's websites were defaced with
anti-American slogans and references. It is believed that the pages
were accessed through known vulnerabilities. The web pages were for
two different business units and two different sub-business units.
The business units are located in different parts of the country,
however at least one set of servers is hosted in Weehawken, New
Jersey and may have suffered between $75,000 and $100,000 in
damages.

Additional information is being gathered by the company
and will be forwarded to the FBI by another ADP [____]
in the near future.

ADP requested that details of this incident not be
disclosed publicly.

Investigation on 5/4/2001 at Somerset, New Jersey (telephonically)
Date dictated 06/19/2001

File #

by
FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 05/18/2001
To: Oklahoma City Attn: SSA [____]
Los Angeles Attn: SA [____]
Chicago Attn: SA [____]
From: Oklahoma City
Squad 8
Contact: SA [____] 405/290-7770

Approved By:

Drafted By:

Title: UNSUB(S);
TUCKER TECHNOLOGIES, INC. - VICTIM;
LION INTERNET WORM VIRUS

Synopsis: To document telephone conversation with victim
company.

Enclosures: 3.5" floppy disk containing "tarball" of information
relating to virus, for SA [____].

Details: On 5/2/2001, writer was telephonically contacted by
[____], located at [____].

TTI is a wireline logging business with sites located
in North and South America, specifically in Brazil, Colombia,
Venezuela, Trinidad, Canada, and the United States. TTI’s world
headquarters is located in Trinidad. TTI’s North American
headquarters is located in Houston, Texas. TTI’s Research,
Development, and Production facility is located in Tulsa,
Oklahoma. All of TTI’s information technology operations are run
from the Tulsa site, which runs a Linux network.

TTI is hired by oil companies to gather data about oil
and gas wells. TTI gathers data by lowering a wireline (a cable)
into these wells.

The oil business is very competitive and TTI maintains
confidential client data within their computer network.



At approximately 3:30 a.m. on 3/22/2001, a hacker 
infiltrated a TTI computer located at a subsidiary site known as 
Tucker Wireline Services in Calgary, Canada. The infiltration 
was discovered because a worker noticed that the worker’s machine 
was slow. The worker investigated the cause by looking for the 
processes that were using the machine’s resources. 


[____] explained that not only was a virus/worm
discovered, but it appeared that the intruder used the virus/worm
to gain entry into the compromised computer. The virus/worm
exploited the known vulnerabilities with daemons and compromised
the computer through a root exploit. The compromised computer
was running old software. Once the virus/worm installed itself,
it looked for other machines to attack. The virus/worm gathered
password files and shadow files and sent these files out via
e-mail to li0nsniffer@china.com and to li0nip@china.com.


The virus/worm shut down all logging, so the only 
tracing that TTI could do was through the aforementioned e-mail 
addresses. 


TTI got hold of the administrator at China.com, who was 
located in San Francisco, California. The administrator told TTI 
that the actual server for China.com was located in Beijing. The 
administrator also told TTI that a police officer from Garden 
Grove Police Department, Garden Grove, California, also called to 
inquire about the same issue. TTI acquired the officer’s name, 
contacted him, and ultimately discussed the intrusion with this 
police officer. 


Concerning damages, TTI’s data center was “out of 
commission” for two days. Thousands of dollars run through this 
center every day. Also, two employees were occupied full-time 
for these two days trying to recover/fix the network. 


[____] does not believe the intruder obtained any
proprietary information. [____] also thinks that this attack was
a random attack and that TTI was not specifically targeted.
[____] explained that TTI’s network is now secure.
[____] explained that he has a “tarball” of all files
used/discovered from the intrusion. [____] stated that he will
cooperate in any way necessary to help authorities.


Writer performed a Sam Spade DNS check of China.com and 
discovered that China.com comes back to IP address 202.84.13.20. 
This IP address resolves to a Unix HTTP server running 
Apache/1.3.9. 




LEAD(s):
Set Lead 1:
CHICAGO
AT CHICAGO, IL
Read and clear.

Set Lead 2: (Adm)

LOS ANGELES
AT LOS ANGELES, CA

Read and clear.
[____], BURNS & ROE, 800 Kinderkamack Road,
Oradell, New Jersey 07649, telephone number [____], were
interviewed telephonically. After being advised of the identity of
the interviewing Agent and the nature of the interview, they
provided the following information.

BURNS & ROE is an engineering company whose worldwide
headquarters is located in Oradell, New Jersey. The company's web
servers are also located in New Jersey and run Windows NT Internet
Information Server (IIS) version 4.0. Early on the morning of
5/6/2001 network personnel noticed a series of port scans which
originated from IP address 210.111.144.15 which resolved to SK
Telecom in South Korea. Subsequent to this scan, at approximately
9:40 a.m. on 5/6/2001, the BURNS & ROE web site, www.roe.com, was
defaced. The source IP address of the defacement was also
210.111.144.15 and consisted of the following message: "fuck USA
Government, fuck PoizonBox, contact:sysadmcn@yahoo.com.cn".
[____] advised it appeared someone accessed the command shell and
executed an "echo" command which allowed root access and the
ability to overwrite the BURNS & ROE default page. There was no
other known damage to the web site or to parts of the network.

Original interview notes, a 3.5" diskette containing log
files provided by [____], and hard copies of the log files are
enclosed in the attached 1A envelopes.

Investigation on 05/07/2001 at Somerset, New Jersey (telephonically)
File # Date dictated 5/14/2001

by
[____], CELARIX, INC., 1 Meadowlands Plaza, East
Rutherford, New Jersey 07073, telephone number [____], was
telephonically interviewed. After being advised of the identity of
the interviewing Agent and the nature of the interview, he provided
the following information.

CELARIX, Inc. is a company which develops web
applications. [____], an employee, advised that at 11:00 a.m. on
5/10/2001 the company's web site, www.rateexplorer.com, was
defaced. The defacement consisted of the following message "fuck
USA Government, fuck PoizonBOx, contact:sysadmcn.yahoo.com.cn".

CELARIX hosts their own web site. The servers are
located in New Jersey and operate using Windows NT IIS version 3.0
and Windows 2000 version 5.0. [____] stated the intruders were
able to access the "cmd.exe" file, execute a "dir" command, gain
root access, and then change the cmd.exe file name.

The original FD-71 and a 3.5" diskette containing the
logs documenting the intrusion are enclosed in the attached 1A
envelope.

Investigation on 05/10/2001 at Somerset, New Jersey (telephonically)

by SA [____]
[____], DATANOMICS, Inc., 200 Centennial
Avenue, Suite 140, Piscataway, New Jersey 08854-3923, telephone
number 732/981-0192, ext. [____], was interviewed telephonically.
After being advised of the identity of the interviewing Agent and
the nature of the interview, she provided the following
information.

[____] had previously submitted a Cyber Threat and
Computer Intrusion Incident Report to the National Infrastructure
Protection Center Watch and Warning Unit. The purpose of this
interview was to follow up on the information in her report.

DATANOMICS is an information technology consulting
company. On 5/8/2001 and 5/11/2001 the default files on three of
their web servers were replaced with the language "Fuck the
government" and "Poizonbox". The attack appeared to originate from
IP address 160.227.14.65 and occurred as a result of a
vulnerability in WinNT IIS 4.0. Although the servers are connected
to an internal computer network, no further compromise was detected
nor have there been any additional attacks since the WinNT patch
was installed.

Enclosed in a 1A envelope is the Cyber Threat and
Computer Intrusion Incident Report submitted by [____] to the NIPC.

Investigation on 05/18/2001 at Somerset, New Jersey

File # Date dictated 05/18/2001

by
Date of transcription 05/10/2001

[____], EDUNEERING, INC., 100 Campus Drive, Suite
100, Princeton, New Jersey 08540, was advised of the
identity of the interviewing agent and the nature of the
investigation. [____] then provided the following information:

[____] said EDUNEERING runs a commercial site for FDA
Training and the site was down on 5/7/01 from 6:30 am for three (3)
hours. [____] said EDUNEERING's web page was replaced with anti USA
Government remarks and was part of the ongoing China-USA hacking
conflict. EDUNEERING's largest clients were not able to access the
site and they incurred a loss in excess of $5,000. [____] has not
calculated an exact loss amount. As a result, [____] made the
necessary system patches to eliminate the security holes. [____]
was able to restore the site from backups. [____] reviewed an
executable and batch file that was used to propagate the attack and
identified an IP address, 216.205.125.115.

[____] said that he would send logs of the incident that
were received by FBI Newark on May 8, 2001. A copy of the log has
been placed in the file.

Investigation on 05/08/01 at Somerset, New Jersey (telephonically)

Date dictated 05/10/01
[____], FINANCIAL EXECUTIVES
INTERNATIONAL, 10 Madison Avenue, Morristown, New Jersey 07960,
telephone number [____], was telephonically interviewed.
After being advised of the identity of the interviewing Agent and
the nature of the interview he provided the following information.

[____] contacted the FBI on 5/4/2001 to advise that on that
day between 8:15 a.m. and 8:30 a.m. the main page and a seldom used
secondary page of the web site of his company, FINANCIAL EXECUTIVES
INTERNATIONAL (FEI), had been defaced. The defacement of the site,
located at the URL www.FEI.org, consisted of anti-American language
and symbols supporting the Chinese, including photographs of
Communist leaders and a message of support by
Ukrainian/Russian/Belarussian hackers. The defacement was signed
"ttyO", "Microfobia Group/GMF Team", and "Zenienss Uniao Hacker".
Greetings were sent out to "SUB-SYS", "GMF", "f4nt4sy", "COBR4S
T34M", "ZUH", "[P(\)W]", and "AHB". Some of the defacement is
written in Spanish and references Brazil.

FEI hosts its own web page from a Windows NT operating
system. [____] believes the page was compromised through an FTP
password vulnerability.

The original FD-71 complaint form and original interview
notes, as well as a 3.5" diskette containing computer logs and
copies of the defaced pages are enclosed in the attached 1A
envelopes.

Investigation on [____] (telephonically)

Date dictated 05/14/2001
Date of transcription 5/14/2001

[____], JANOME-AMERICA, INC., 10
Industrial Avenue, Mahwah, New Jersey 07430, telephone number
973/825-3200, ext. [____], was interviewed telephonically. After being
advised of the identity of the interviewing Agent and the nature of
the interview, she provided the following information.

[____] filed an on-line report with the National
Infrastructure Protection Center Watch and Warning Unit on
05/04/2001 regarding a compromise of her company's web site. In a
follow-up conversation, she advised that on 05/03/2001 between 7:00
p.m. and 11:00 p.m. an unknown individual overwrote two pages of
the company's web site with the following: "F*&k USA Government,
F*&k PoizonBOx, contact:sysadmcn@yahoo.com.cn". The IP addresses
of the two overwritten JANOME pages are 12.44.51.3/NFUSE and
12.44.51.4/NFUSE. Both IP addresses are behind a recently
installed firewall and are assigned to pages remote users log on
to obtain access to the company's internal networks. [____] was
not sure what exploit was used to compromise the web page, but
suspected it may have been through an open port. There did not
appear to be any additional damage to the site, nor did it appear
that the internal networks had been accessed.

A copy of the intrusion report forwarded by NIPC, as well
as a 3.5" diskette containing logs and other files related to the
intrusion which were provided by [____], are enclosed in the
attached 1A envelopes.

Investigation on 05/10/2001 at Somerset, New Jersey (telephonically)
Date dictated 05/14/2001

File #

by
Date of transcription 05/10/2001

[____], NOURISON, 5 Sampson Street, Saddle Brook,
New Jersey, was advised of the identity of the
interviewing agent and the nature of the investigation. [____]
then provided the following information:

[____] said that NOURISON's web page was replaced on
Saturday, Sunday and Monday, May 5 through the 7th, 2001. [____]
said that his page was one of the many being defaced as a result of
the Solaris server worm exploit initiating the attack. [____]'s
webpage had anti USA Government remarks and was part of the ongoing
China-USA hacking conflict. As a result, [____] made the necessary
system patches to eliminate the security holes. [____] said there
was no loss of data or significant manual labor charges as a result
of the defacement. [____] was able to restore the site from
backups.

[____] said that he would send logs of the incident that
were received by FBI Newark on May 9, 2001. A copy of the log has
been placed in the file.

Investigation on [____] at Somerset, New Jersey (telephonically)
Date dictated 05/10/01
[____], PICATINNY FEDERAL
CREDIT UNION, 10 Mineral Springs Drive, Dover, New Jersey 07801,
telephone number [____], was interviewed telephonically.
After being advised of the identity of the interviewing Agent and
the nature of the interview, he provided the following information.

[____] had previously submitted a Cyber Threat and
Computer Intrusion Incident Report to the National Infrastructure
Protection Center Watch and Warning Unit. The purpose of this
interview was to follow up on the information in his report.

[____] advised that between 7:45 p.m. on 5/13/2001 and
8:00 a.m. on 5/14/2001, one of their non-public web pages,
springer.picatinnycu.org, was defaced with references to "Poison
Box". Review of computer logs indicated the defacement originated
from the IP address 202.195.100.2 and occurred as a result of
either a vulnerable IIS server or the "sadmin" worm virus.
Although the springer.picatinnycu.org server is connected to an
internal network, there appeared to be no further damage beyond
that of the web page.

A copy of the Cyber Threat and Computer Intrusion
Incident Report sent to the National Infrastructure Protection
Center Watch and Warning Unit is enclosed in the attached 1A
envelope.

Investigation on 05/18/2001 at Somerset, New Jersey (telephonically)
File # Date dictated 05/21/2001
by SA [____]
Date of transcription 06/04/2001

[____], RAO.COM, 392 Atwood Place, Wyckoff, New
Jersey 07481, telephone number 201/652-1500 ext. [____], was interviewed
telephonically. After being advised of the identity of the
interviewing Agent and the nature of the interview he provided the
following information.

[____] advised that his web site, www.RAO.com, is used to
market and sell framed artwork his company manufactures. RAO.com
is a government contractor and the web site has a link to the
Government Services Administration web site. The servers for this
site are located in Hartford, Connecticut. On 05/25/2001 between
7:00 a.m. and 7:15 a.m. the web site was defaced with references to
"Fuck USA government" and "PoizonBox". [____] stated the web site
only has been up for about one week and took about 65,000 hours of
programming. They did not have any logs available, but had a
backup of the site and used that to replace the defaced page
without any loss of business.

Investigation on [____]

File # Date dictated 06/04/2001
by
Date of transcription 05/10/2001

[____], SCREENZONE MEDIA NETWORKS, 18 S.
Orange Avenue, South Orange, New Jersey [____], was advised of
the identity of the interviewing agent and the nature of the
investigation. [____] then provided the following information:

[____] said that SCREENZONE's web page was replaced on
Saturday, Sunday and Monday, May 5 through the 7th, 2001. The
first two attacks occurred at [...] and the third attack occurred
at 21:48, respectively. [____] said that his page was one of the
many being defaced as a result of the Solaris server worm exploit
initiating the attack. [____]'s webpage had anti USA Government
remarks and was part of the ongoing China-USA hacking conflict. As
a result, [____] made the necessary system patches to eliminate
the security holes. [____] said there was no loss of data or
significant manual labor charges as a result of the defacement.
[____] was able to restore the site from backups.
[____] explained that a batch file copied the cmd.exe
file to root.exe, whereby when the root.exe was run in DOS, the
website was updated with the defaced webpages.
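The cmd.exe / root.exe pattern reported by Burns & Roe, Celarix and Screenzone above can be hunted for in the IIS logs the victims handed over. The detector below is an added example, not material from the FBI file or from any of the victim companies; it assumes the W3C extended log format named in its #Fields: line, and every log line in it is constructed.

```python
"""Flag IIS log entries where the Windows command interpreter (cmd.exe, or a
copy of it renamed root.exe) is reached through the web server, as the
Burns & Roe, Celarix and Screenzone interviews describe.

Added example, not code from the FBI file or the victim companies.
Assumes the W3C extended log format with the #Fields: directive below;
all log lines are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Constructed sample log (not from any enclosed diskette). 192.0.2.44 is a
# documentation address standing in for an attacking host.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-06 09:38:12 10.0.0.5 GET /index.htm - 200
2001-05-06 09:39:01 192.0.2.44 GET /scripts/root.exe /c+dir 200
2001-05-06 09:39:03 192.0.2.44 GET /scripts/root.exe /c+echo+defaced>default.htm 200
2001-05-06 09:39:05 192.0.2.44 GET /scripts/cmd.exe /c+copy+cmd.exe+root.exe 502
2001-05-06 09:40:10 10.0.0.7 GET /default.htm - 200
"""

# The interpreter names the victims reported: cmd.exe itself, and cmd.exe
# copied to root.exe by a batch file (Screenzone) or renamed (Celarix).
SHELL_STEM = re.compile(r"/(cmd|root)\.exe$", re.IGNORECASE)
# Output redirected into a page file is the "echo" overwrite of the default
# page that Burns & Roe described.
PAGE_WRITE = re.compile(r">\s*[^\s>]*\.(?:html?|asp)\b", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    time: str
    source_ip: str
    stem: str
    command: str          # first word after /c, e.g. dir, echo, copy
    overwrites_page: bool


def parse_w3c(text: str) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line number, record) for each data line, naming columns from
    the #Fields: directive; lines with the wrong column count are skipped."""
    columns: List[str] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith("#Fields:"):
            columns = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split()
        if columns and len(parts) == len(columns):
            yield line_no, dict(zip(columns, parts))


def detect_shell_abuse(text: str) -> List[Finding]:
    """Return one Finding per request whose URI stem is cmd.exe or root.exe.
    The HTTP status is deliberately ignored: the interpreter runs whether or
    not IIS manages to return its output as a valid response."""
    findings: List[Finding] = []
    for line_no, rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        if not SHELL_STEM.search(stem):
            continue
        # IIS writes spaces in the query string as '+'; restore them.
        query = rec.get("cs-uri-query", "-").replace("+", " ")
        m = re.search(r"/c\s+(\w+)", query, re.IGNORECASE)
        findings.append(Finding(
            line_no=line_no,
            time=f"{rec.get('date', '')} {rec.get('time', '')}",
            source_ip=rec.get("c-ip", "?"),
            stem=stem,
            command=m.group(1).lower() if m else "unknown",
            overwrites_page=bool(PAGE_WRITE.search(query)),
        ))
    return findings


def summarize_by_source(findings: List[Finding]) -> Dict[str, dict]:
    """Collapse findings per source IP (first/last time, commands seen,
    whether a page was overwritten): the list a victim would take to a
    Whois lookup, as several interviewees did."""
    summary: Dict[str, dict] = {}
    for f in findings:
        entry = summary.setdefault(
            f.source_ip,
            {"first": f.time, "last": f.time, "commands": [],
             "page_overwritten": False},
        )
        entry["last"] = f.time
        if f.command not in entry["commands"]:
            entry["commands"].append(f.command)
        entry["page_overwritten"] = entry["page_overwritten"] or f.overwrites_page
    return summary


if __name__ == "__main__":
    hits = detect_shell_abuse(SAMPLE_LOG)
    for h in hits:
        flag = " PAGE OVERWRITTEN" if h.overwrites_page else ""
        print(f"line {h.line_no}: {h.time} {h.source_ip} {h.stem} {h.command}{flag}")
    for ip, info in summarize_by_source(hits).items():
        print(f"{ip}: {info}")
```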
[____] said that he would send logs of the incident
that were received by FBI Newark on May 9, 2001. A copy of the log
has been placed in the file.
Investigation on 05/09/01 at Somerset, New Jersey (telephonically)
File # Date dictated 05/10/01
by

FD-302 (Rev. 10-6-95) 


FEDERAL BUREAU OF INVESTIGATION 
[____], SOFTWARE PLUS, INC.,
25B Hanover Road, Florham Park, New Jersey 07932, telephone number
[____], was interviewed telephonically. After being advised
of the identity of the interviewing Agent and the nature of the
interview, he provided the following information.

[____] contacted the FBI on 5/10/2001 and advised his
company's web site, located at the IP address 62.236.17.2, had been
defaced on 05/06/2001, 05/09/2001, and later advised it was defaced
again on 5/12/2001. The defacement, which originated from IP
address 199.38.132.12, consisted of the following message: "fuck
USA Government, fuck PoizonBOx, contact: sysadmcn@yahoo.com.cn".
There was no additional damage. SOFTWARE PLUS hosts its own web
page on a server running Windows 2000. [____] did not know how the
attackers were able to penetrate the web site.

The original FD-71 and a 3.5" diskette containing log
files provided by [____] are enclosed in the attached 1A envelopes.

Investigation on [____] at Somerset, New Jersey (telephonically)
[____], TRIANGLE MANUFACTURING, [...]
Avenue, Upper Saddle River, New Jersey 07458, [____], was
advised of the identity of the interviewing agent and the nature of
the investigation. [____] then provided the following
information:

[____] said that two files on TRIANGLE's web page were
replaced with "Fuck US Government" and was part of the many
webpages being defaced in the ongoing China-USA hacking conflict.
As a result, [____] made the necessary system patches to
eliminate the security holes, replaced the webpage from backups and
incurred no loss. [____] said that he did not have any logs of
the incident and no additional information.

Investigation on 05/09/01 at Somerset, New Jersey (telephonically)
[____], US MORTGAGE CORPORATION, 19 Chapin Road, Pine
Brook, New Jersey 07058, (973) 244-7100, ext. [____], was advised of the
identity of the interviewing agent and the nature of the
investigation. [____] then provided the following information:

[____] said that US MORTGAGE's web page was replaced on
Sunday May 5th, 2001. [____] said that his page was one of the many
being defaced as a result of the Solaris server worm exploit
initiating the attack. [____]'s webpage had anti USA Government
remarks and was part of the ongoing China-USA hacking conflict. As
a result, [____] made the necessary system patches to eliminate the
security holes. [____] said there was no loss of data or
significant manual labor charges as a result of the defacement.
[____] was able to restore the site from backups.

[____] said that he would send logs of the incident that
were received by FBI Newark on May 9, 2001. A copy of the log has
been placed in the file.

Investigation on [____] at Somerset, New Jersey (telephonically)

Date dictated 05/10/01
Complaint Form
FD-71 (Rev. 3-27-95)

NOTE: Hand print names legibly; handwriting satisfactory for remainder.
Indices: [X] Negative [ ] See below

Subject's name and aliases: UNSUB
Character of case: [____]
Complainant [X] Source [ ]: Tanglize Incorporated

Complaint received: [ ] Personal [X] Telephonic Date 06/05/2001 Time 1730

Address of Subject: UNKNOWN -- Internet address
Complainant's address and telephone number: 210 William Street, Boonton, NJ 07005
Complainant's DOB: [____]

Subject's Description (Sex, Age, Weight, Eyes, Complexion, Social Security Number): unk unk unk unk unk-poss middle eastern
Scars, marks and other data: unk
Employer: unknown  Address: unknown  Telephone: [____]
Vehicle Description: [____]

Facts of Complaint:

[____] of Tanglize Inc. called the duty agent to report an
Internet hacker. Tanglize Inc. designs and hosts web sites for companies
and is located in Boonton, New Jersey. Recently complainant has noticed
statements against the US government; however, they have not been threats
to this point. The messages that were posted, but did not appear on the
web site, stated "F... the United States Government". [____] stated
that since his service is on an NT system the hacker is using an ASP
function to place files on his server. [____] has placed
patches on his site that has temporarily blocked this person from
accessing his site. Today just after 5 pm complainant received a phone
call from a man with a heavy middle eastern or Indian accent. The man
stated that he was his ISP, give me your E-Mail. Complainant asked for
his name, his response was I am [____]. Complainant has server logs with
IP address of person hacking his site.


MAY. 11,2004 FA 31PM FBI HQ SIOC NO. 269 P.2 


LUVLUGLL REPUTE For ADL 


Subject: Cyber Incident Report Form 
Date: Fri, 11 May 2001 15:26:39 -0400 


or | BIC 


01-489-6750 


Organi zation=goamezxi mmunications corp. 


Addrs Street=433 hackensack avenue 
City=hackensack 


State=nj 
Zip Code=07601 


Country=usa 

Questioni Organization=same 

Questionl_Contact_Info= 

Question! | “Tele _Number= 

QuestionlL | _ Street=same 

Questionl City State_Zipcd= 

Questionl Country= 

Questionl_Email= 

Question2 Location=401 hackensack avenue, 4th floor 

hackensack, nj 07601 

Question3 Date Time=5/11/01 - 6:46 am est and previous days 

Question4 “Critical= Yes 

Questions _ erit_infrasture=Telecommunications 

Questions | “Remarks=No Remarks 

Question6_nature_of prob=Intrusion 

Question6 nature of prob=Unauthorized root access 

Question6 nature_of prob=Web site defacement 

Questioné : nature of prob= Compromisé of system integrity 

Questioné_ other= 

Question7_exp_problem=Yes
Question7_Remarks=we found that 2 of our windows nt 4.0 servers running iis 4.0 (load balancing) had their default.htm/asp and index.htm/asp replaced. we discovered this on 5/10/01 and reinserted our regular page. on 5/11/01 at 6:46 am est, these 4 files were replaced again.

Question8_method_of_attack=Vulnerability exploited
Question8_method_of_attack=Unknown
Question8_Remarks=we found that these servers are not running the latest microsoft security updates, but we can't just throw them on without testing.
Question9_sus_perpetrators=Other
Question9_Remarks=seems to be part of the 'chinese attack' on us sites. a derogatory page towards the us gov't is put in place.

Question10_ip_addrs=
Question11_evid_of_spoof=Unknown
Question12_Oper_systems=NT
Question12_Remarks=dell poweredge rack servers running windows nt 4.0 sp6 and iis 4.0

Question13_security_infrastructure=Firewall
Question13_security_infrastructure=Packet filtering
Question14_attack_loss_info=Unknown
Question14_Remarks=No Remarks
Question15_damage_systms=No
Question15_Remarks=No Remarks

Question16_what_actions=Other
Question16_what_actions=Log files examined
Question16_Remarks=we've tightened some of the ntfs security permissions, removed some unnecessary files and services. we're planning an upgrade to the latest security patches from microsoft (after testing).


Question17_Field_Office=[redacted]
Question17_fieldoff_inform=No


Question18_agency_inform=No
Question18_State_Local_Police=
Question18_Inspector_General=
Question18_CERT-CC=
Question18_FedCIRC=
Question18_JTF-CND=
Question18_Other=
Question19_date_of_last_update=5/11/01
Question19_org_work_update=internal
Question20_POC_Information=
Question20_sys_adm_contract=No
Question21_remarks=No additional remarks


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FBI FACSIMILE COVER SHEET

Precedence: [ ] Immediate  [ ] Priority  [ ] Routine
Classification: [ ] Top Secret  [ ] Secret  [ ] Confidential  [ ] Sensitive  [ ] Unclassified
Time Transmitted: 
Sender's Initials: 
Number of Pages: 7 (including cover sheet)

To: Newark (Name of Office)          Date: 05/11/2001
Facsimile Number: 973-792-3035
Attn: SSA [redacted]  (Name, Room, Telephone)
From: NIPC Watch (Name of Office)
Subject: Cyber Incident Report
Special Handling Instructions: 
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Approved: 

Brief Description of Communication Faxed: 
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Date of transcription 06/13/2001 


The Geektools.com public Internet website was queried to 
determine the registration for the following Internet Protocol (IP) 
addresses: 


208.177.103.98 
211.136.17.141 
202.241.213.160 
133.38.151.20 


The following represents the results of these queries: 


IP Address        Registration Information
208.177.103.98    Concentric Network Corporation, 1400 Parkmoor Avenue, San Jose, California 95126
211.136.17.141    China Mobile Communications Corporation
202.241.213.160   C-Live Henseikyoku
133.38.151.20     Japan Network Information Center, Fuundo Bldg. 3F, 1-2 Kanda-Ogawamachi, Chiyoda-ku, Tokyo, 101-0052, JP


The print-outs containing more detailed information will 
be maintained within the Exhibit Section of the investigative file. 


It should be noted that the aforementioned IP addresses 
were obtained from [redacted], Eligibility 
Services, Incorporated (ESI), 4144 North Central Expressway, Suite 
210, Dallas, Texas, 75204, who, in turn, obtained the addresses from 
ESI's computer logs after ESI's web pages were defaced during the 
month of May 2001. 


Investigation on [redacted] at [redacted], Texas 

File # [redacted]    Date dictated 06/13/01    by [redacted] 


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
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[Redacted], also known as [redacted], Eligibility Services, 
Incorporated (ESI), 4144 N. Central Expressway, Suite 210, Dallas, Texas, 
75201, telephone number [redacted], cellular telephone number [redacted], 
Social Security Account Number [redacted], was advised of the identity of 
the interviewing agent and the purpose of the interview. [Redacted] then 
provided the following information: 

[Redacted] has been employed with ESI as the System Engineer for 
approximately [redacted]. He was responsible for addressing the problems 
resulting from the intrusion of ESI's computer system which occurred on 
May 7, 2001 and May 8, 2001. ESI is a company which provides technical 
consulting to businesses in the health industry. Part of its 
responsibilities includes developing databases for these companies. 

[Redacted] described the company's network system through the use of a 
diagram he provided. The webservers which were victimized on May 7, 2001 
and May 8, 2001, use the Windows NT 4.0 operating system with IIS 4.0 
software and are labeled on the diagram as "ESIPDCDALLAS" and "WEBSERVER". 
The two Internet addresses handled under the ESIPDCDALLAS server are 
www.esinetwork.com, which is the main site and contains the corporate web 
page, and www.mail.esinetwork.com, which is the employee Internet mail 
network. The Internet mail network is strictly for employees to access 
their E-mail. The server listed as WEBSERVER on the diagram handles the 
following Internet sites: 

1. www.northtexasviperclub.com: This is sponsored by ESI's [redacted] and 
   pertains to a club involving certain sports car racing. 

2. www.texastriathlon.com: This is a similar club sponsored by ESI's 
   [redacted]. 

3. www.hauk-i.com: This is a website which was recently turned over to 
   another company but was still being operated by ESI when the 
   defacements occurred. 

Date dictated 06/12/01 
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Continuation of FD-302 of [redacted], On 06/07/01, Page 2 


4. www.ljbb.com: This is ESI's investment site which provides the 
   public with information regarding investment opportunities. 

5. www.medica-inc.com: This is a site which once provided medical 
   information and is no longer operational. ESI had no specific 
   operational use for this site, and thus, once the intrusion 
   occurred, ESI removed the site. 

6. www.lopeznet.com: This is another site operated by ESI. ([Redacted] 
   did not provide additional information regarding this site.) 


The servers contain some corporate sensitive information 
to include some financial data of the company which is restricted 
to specific individuals. The web pages displayed to the users do 
not have a logon banner with the exception of the employee E-mail 
site. 


The network has a firewall (Watch Guard Firebox) as part 
of its security. The two servers mentioned above are under lock 
and key at all times and only three employees have access to the 
room where the server is stored. Only three employees have remote 
access to the network. Approximately 400 employees can access 
their E-mail through the Internet. 


The following represents the events which occurred 
shortly before, during, and after the web page defacement: 


On May 7, 2001, [redacted] became aware of the intrusion after 
several employees attempted to retrieve their E-mail and noticed 
their web page had been defaced. [Redacted] also received several calls 
from vendors and clients who contacted him to advise him of 
defacements to ESI's public websites. 


The defacements contained the words, "fuck USA 
Government" along with other information. [Redacted] provided a compact 
disc (CD) which contains a copy of the defacement. 

(SA [redacted] showed [redacted] copies of the web pages 
of www.ljbb.com captioned LJBB Investment Group, LP; 
www.texastriathlon.com captioned TexasTriathlon.com; and 
www.northtexasviperclub.com captioned North Texas Viper Club. 
[Redacted] confirmed that the web pages represented some of ESI's web 
pages which were defaced.) Based on a review of the computer logs, 
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[redacted] 
determined that the defacements occurred several times during 
May 7, 2001 and May 8, 2001. [Redacted] copied the logs on the 
aforementioned CD. The CD also contains the script used by the 
intruder. 


[Redacted] has no indication that the intruder accessed the 
information on the servers. [Redacted] noticed, however, that some of 
the log files were infected by a virus, PEARL SADMIND WORM. He 
opened the files under the Word Program and saved them as Word 
documents. [Redacted] does not believe any other files were infected. 
[Redacted] has applied patches to the system to avoid any further 
similar intrusions. 


Based on the review of the logs, four Internet Protocol 
(IP) addresses of the intruder were captured on the logs. [Redacted] 
conducted a trace route of these addresses on May 8, 2001. The 
results indicated that the IP addresses correspond as follows: 

208.177.103.98     XO Communications, Georgia ISP 
211.136.17.141     Net Plus, Hong Kong ISP 
202.241.213.160    C-Live, Japanese ISP 
133.38.151.20      Saitama University, Japan 


[Redacted] has monitored the firewalls to ensure there are no 
abnormalities. [Redacted] has not noticed any major port scanning after 
May 8, 2001. 


Approximately 20 hours of repair were conducted because 
of the intrusions. The financial loss to the company resulting from 
the web page defacements is estimated at $4,000.00. (20 hours @ 
$200.00 per hour.) A letter containing the breakdown of this 
figure is contained within the aforementioned CD. 


The following items will be maintained within the Exhibit 
section of the investigative file: 


1. Diagram of the network system provided by [redacted]. 
2. One CD containing copies of the logs, web page 
   defacement, and the aforementioned letter. 
3. Copy of the original web pages shown to [redacted]. 
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The Geektools.com public Internet website was queried to 
determine the registration for the following Internet Protocol (IP) 
addresses: 

216.221.210.134 
159.121.129.55 
211.101.145.202 
146.155.1.15 

The following represents the results of these queries: 

IP Address        Registration Information
216.221.210.134   Maxlink Communications Inc., 1 Yonge Street, Suite 2415, M5E 1E5, CA
159.121.129.55    State of Oregon, Department of Administrative Services, 550 Airport Rd., Salem, OR 97310
211.101.145.202   HCINT, Room 907 Building C, TianYin Tower, No. D2 South Avenue FuXingMen, Beijing, CN
146.155.1.15      SECICO, Vicuna Mackena 4860, Santiago, Chile 6904411


The print-outs containing more detailed information will 
be maintained within the Exhibit Section of the investigative file. 


It should be noted that the aforementioned IP addresses 
were obtained from [redacted], Richmont, 17855 
Dallas Parkway, Dallas, Texas, 75240, who, in turn, obtained the 
addresses from Richmont's computer logs after Richmont's web pages 
were defaced during the month of May 2001. 


Investigation on 06/13/01 

File # [redacted]    Date dictated 06/13/01 
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[Redacted], Richmont, 17855 Dallas 
Parkway, Dallas, Texas, 75240, telephone number [redacted], born [redacted], 
Social Security Account Number [redacted], was advised of the identity of 
the interviewing agents and the purpose of the interview. [Redacted] then 
provided the following information: 

[Redacted] has been employed as the Network Analyst for 
Richmont for approximately [redacted]. [Redacted] is 
responsible for Richmont's infrastructure. Richmont is a 
marketing-focused merchant bank. 

[Redacted] described the company's network system through 
the use of a diagram he provided. The webserver which was 
victimized on May 5, 2001 through May 14, 2001 uses the Windows 
2000 operating system with IIS 5.0 software and is labeled on the 
diagram as the ISA Server. The server contains Richmont's web page 
and receives e-mail as well. [Redacted] does not consider any of the 
information on the server to be classified. At the time of the 
attacks, the web page did not have a logon banner warning 
unauthorized users not to enter. [Redacted] has since 
installed a logon banner. The website is designed so anyone can 
log on. Passwords are required for employees to enter the other 
servers depicted on the schematic. 

The network has a firewall installed as part of their 
security which is handled by a third party, AT&T. The web server 
is under lock and key at all times and only two or three employees 
have access to the room where the server is stored. There are 250 
user workstations. Approximately 100 employees have remote access 
to the network. In order to access the system remotely, the 
employees must go through the AT&T security. As long as their 
Internet Protocol (IP) address falls within a specific range, the 
employee is authorized to enter. 

During the time period May 5, 2001 - May 14, 2001, the 
Richmont web page experienced defacements. Based on a review of the 
network logs by [redacted], the following represents the dates, times 
and IP addresses from which the computer intrusions occurred: 
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Date      Time        IP Address
5/5/01    7:13 P.M.   216.221.210.134
5/8/01    4:22 A.M.   159.121.129.55
5/12/01   8:15 A.M.   211.101.145.202
5/14/01   2:40 A.M.   146.155.1.15


[Redacted] conducted a trace route command from the Disk 
Operating System (DOS) line on May 17, 2001 for all the 
aforementioned IP addresses and was only successful in tracing 
146.155.1.15 to Leonera.puc.cl. [Redacted] believes this is a site in 
China. 


On May 21, 2001, at approximately 3:48 P.M., an 
unsuccessful intrusion attempt was made from IP address 
61.156.28.14. This occurred after [redacted] had rebuilt the server. 
(Richmont's old IP address was 206.104.102.32, and the new IP 
address is 209.39.241.33.) On May 25, 2001, another unsuccessful 
attempt was made. [Redacted] commented, however, that this last port 
scan may have been him testing the system. 


Based on his research, [redacted] believes the intruder 
entered through port 80 of the router and placed the following two 
files throughout the system: 

default.htm 
default.asp 

This resulted in the web page defacement. Although [redacted] 
did not maintain a copy of the defacement, he remembers it read 
something to the effect of "Fuck US Government Fuck USA". 

[Redacted] does not believe any further damage occurred to the 
system. He does not believe any of the additional servers of the 
network were affected. [Redacted] scanned the entire machine and noted 
that nothing had been modified. The latest patch installed in the 
system was on May 15, 2001 which was patch 0293826. 


(SA [redacted] showed [redacted] a copy of the web page of 
www.richmont.com captioned WELCOME TO RICHMONT. [Redacted] confirmed 
that the webpage represented the company webpage which was 
defaced.) [Redacted] provided logs pertaining to the intrusions listed 
above. SA [redacted] showed [redacted] a copy of a Cyber Incident 
Report which was sent to nipc.watch@fbi.gov. [Redacted] confirmed he 

FD-302a (Rev. 10-6-95) 

Continuation of FD-302 of [redacted], On 06/01/01, Page 3 


had completed the report and sent it to the nipc.watch@fbi.gov 
Internet site. 


[Redacted] provided the interviewing agents with a letter 
which notes the financial loss to the company resulting from the 
web page defacement as being [partially illegible]145.00. The letter contains a 
breakdown of this figure. [Redacted] also provided a portion of the 
logs pertaining to the intrusions set forth above. After beginning 
to print the logs, he realized the logs would be voluminous and 
decided to copy the logs onto a floppy disk. [Redacted] provided the 
disk containing the log files. 


[Redacted] added that his personal computer at home had also 
experienced a similar intrusion. [Redacted]'s system is an entirely 
different and unrelated system. The intrusion into his personal 
computer occurred on May [redacted], 2001 at approximately 6:36 A.M. from IP 
address 140.126.139.[illegible]. [Redacted] noted the same exact method of 
intrusion. [Redacted]'s home IP address and phone number are [redacted]. 
His work station consists of a desktop and a laptop. [Redacted] provided 
a copy of the logs for the intrusion of his personal computer. He 
indicated that the aforementioned disk also contained a copy of these 
logs as well. 


The following items will be maintained within the Exhibit 
section of the investigative file: 

1. Diagram of the network system provided by [redacted] 
2. Copy of the logs provided by [redacted] 
3. Floppy disk provided by [redacted] 
4. Letter containing financial loss provided by [redacted] 
5. Copy of the original webpage shown to [redacted] 
6. Copy of the Cyber Incident Report shown to [redacted] 
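The log review described in the Cyber Incident Report form ("Log files examined") and in the Richmont interview (the date/time/IP table, and the belief that the intruder came in over port 80 and dropped default.htm and default.asp) is the kind of triage that can be scripted. The Python below is an added example; it is not part of the FBI file and not any victim's tooling. It parses W3C extended log lines of the kind IIS 4.0 and 5.0 wrote, taking the column names from the "#Fields:" directive, and flags three things an investigator pulls out first: requests from the source addresses the victim already suspects, write methods against the pages the defacements replaced, and directory-traversal sequences after URL decoding. The sample log, its timestamps, paths and other clients are constructed for this example; only the four suspect addresses come from the Richmont table. The page names, the write-method list and the UTC-to-Central conversion (-5 hours) are assumptions. Nothing here names the vulnerability used, which the file leaves unidentified.

```python
"""IIS W3C extended log triage for a web-defacement investigation.

Added example; not from the FBI file and not any victim's tooling.
Field names come from the '#Fields:' directive, so the parser follows
whatever columns the server was configured to log.  The sample log, its
timestamps and paths are constructed; only the suspect addresses are the
ones the Richmont interview lists.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Pages the victims report as replaced by the defacement (assumed set).
DEFACED_PAGES = {"/default.htm", "/default.asp", "/index.htm", "/index.asp"}
WRITE_METHODS = {"PUT", "DELETE"}  # assumed: methods that change content
# Source addresses from the victim's own log review (Richmont table).
SUSPECT_IPS = {"216.221.210.134", "159.121.129.55",
               "211.101.145.202", "146.155.1.15"}
# IIS writes W3C extended logs in UTC; -5 h (Central Daylight Time) is an
# assumption so output can be compared with the victim's local times.
LOCAL_OFFSET = timedelta(hours=-5)

# Constructed sample log; the last line is deliberately truncated.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-06 00:02:11 10.1.1.25 GET /default.htm - 200
2001-05-06 00:13:04 216.221.210.134 GET /scripts/..%2f..%2fwinnt/system32/cmd.exe /c+dir 200
2001-05-06 00:13:09 216.221.210.134 PUT /default.htm - 201
2001-05-06 00:13:10 216.221.210.134 PUT /default.asp - 201
2001-05-06 00:40:51 198.51.100.7 GET /default.htm - 200
2001-05-08 09:22:30 159.121.129.55 PUT /default.htm - 201
2001-05-08 09:22:31 159.121.129.55 GET /default.htm - 200
2001-05-08 09:25:00 198.51.100.7 GET /images/logo.gif - 200
2001-05-12 13:15:02 211.101.145.202 PUT /default.htm - 201
2001-05-14 07:40:44 146.155.1.15 PUT /default.htm
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the '#Fields:' names.

    A line with fewer columns than the header (rotated or cut-off file)
    is kept with the missing columns set to '-' rather than dropped: a
    truncated line is still evidence that the request happened.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line before #Fields directive")
        cols = line.split()
        cols += ["-"] * (len(fields) - len(cols))
        yield dict(zip(fields, cols))


def reasons_for(rec):
    """Return the triage rules one request trips (empty list if none)."""
    hits = []
    method = rec.get("cs-method", "-").upper()
    # Decode twice: double-encoded traversal passes filters that decode once.
    stem = unquote(unquote(rec.get("cs-uri-stem", "-"))).replace("\\", "/").lower()
    if rec.get("c-ip") in SUSPECT_IPS:
        hits.append("suspect source")
    if method in WRITE_METHODS and stem in DEFACED_PAGES:
        hits.append(f"{method} to defaced page")
    if "/../" in stem or stem.endswith("/.."):
        hits.append("directory traversal")
    return hits


def triage(text):
    """Per source IP: first/last flagged request (local time), count, reasons."""
    summary = defaultdict(lambda: {"first": None, "last": None,
                                   "count": 0, "reasons": set()})
    for rec in parse_w3c(text):
        hits = reasons_for(rec)
        if not hits:
            continue
        when = datetime.strptime(rec["date"] + " " + rec["time"],
                                 "%Y-%m-%d %H:%M:%S") + LOCAL_OFFSET
        entry = summary[rec["c-ip"]]
        entry["first"] = min(filter(None, [entry["first"], when]))
        entry["last"] = max(filter(None, [entry["last"], when]))
        entry["count"] += 1
        entry["reasons"].update(hits)
    return dict(summary)


def fmt_local(d):
    """Render like the victim's table: M/D/YY H:MM AM/PM."""
    hour = d.hour % 12 or 12
    return (f"{d.month}/{d.day}/{d.year % 100:02d} {hour}:{d.minute:02d} "
            f"{'AM' if d.hour < 12 else 'PM'}")


def first_seen_table(summary):
    """[(ip, first flagged request, local time)] in time order."""
    rows = sorted(summary.items(), key=lambda kv: kv[1]["first"])
    return [(ip, fmt_local(e["first"])) for ip, e in rows]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, first in first_seen_table(result):
        print(f"{ip:16} {first:18} x{result[ip]['count']} "
              f"{', '.join(sorted(result[ip]['reasons']))}")
```

Run stand-alone it prints one line per flagged source with the first local-time sighting, which on the constructed log lines up with the four rows of the Richmont table. Two practical points: the UTC-to-local conversion is what makes a log entry at 00:13 on 5/6 match a reported 7:13 P.M. on 5/5, and the truncated final line is kept rather than discarded, because the cut-off request is still the only record of that visit.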
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The Geektools.com public Internet website was queried to 
determine the registration for Internet Protocol (IP) address 
202.107.11.78. According to the query, the address is registered 
to CHINANET-LN, A12, Xin-Jie-Kou-Wai Street, China. 


The print-outs containing more detailed information will 
be maintained within the Exhibit Section of the investigative file. 


It should be noted that the aforementioned IP address was 
obtained from [redacted], American 
Hallmark Group, 14651 Dallas Parkway #900, Dallas, Texas, who, in 
turn, obtained the address from the business computer logs after 
its web pages were defaced during the month of May 2001. 
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[Redacted], American 
Hallmark Group, 14651 Dallas Parkway #900, Dallas, Texas 75240, 
provided a compact disc (CD) on [redacted], as she was instructed to do by 
[redacted]. According to a note inside the 
case of the CD, the CD contained log files pertaining to a website 
defacement which occurred on May 5 and May 6, 2001, as well as a 
copy of the actual defacement. 

The CD was placed within the (1A) exhibit section of the 
investigative file. 
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Date of transcription 06/07/2001 

[Redacted], American Hallmark 
Group/Hallmark Financial Services, 14651 Dallas Parkway, 
telephone number 972-934-2400 extension [redacted], born [redacted], 
Social Security Account Number [redacted], was 
advised of the identity of the interviewing agents and the purpose 
of the interview. [Redacted] then provided the following information: 

[Redacted] has been employed with American Hallmark [redacted]. 


[Redacted] described the company's network system through 
the use of a diagram she provided. The webserver which was 
victimized on May 5, 2001 and May 6, 2001, uses the Windows NT 4.0 
operating system with IIS 4.0 software and is labeled on the 
diagram as the NetFinity Server. The server contains client 
information and is utilized by American Hallmark Group employees to 
query their clients' accounts. Information from the AS400 server 
listed on the diagram is downloaded into the NetFinity server. The 
webpage displayed to the employees does not have a logon banner 
warning unauthorized users not to enter. 


Other servers listed on the lower right-hand side of the 
diagram are the following: 

Server1 - Novell server, contains financial accounting 
Server2 - NT server, manages log-ins 
Server3 - Novell server, premium finance program 
AS400   - Runs all insurance functions 


The network has a firewall installed as part of their 
security. The webserver is under lock and key at all times and 
only a few employees have access to the room where the server is 
stored. The router depicted in the diagram is an Intel Router. (SA 
[redacted] viewed the router and noted model number ER 
9525U.) Although there is no set security/procedural plan, all 
employees access their computers by using passwords. There are 100 
user workstations with a total of 125 workstation capabilities. 

Investigation on 06/06/01 
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


Only one employee has remote access to the network. E-mail for the 
company is handled externally through Ash Web Hosting. 


The following represents the events which occurred 
shortly before, during, and after the webpage defacement: 


On Saturday, May 5, 2001, [redacted] arrived at the office 
and read an e-mail from her supervisor who advised that there had 
been an intrusion into the American Hallmark Group's computer 
system. [Redacted] noticed the company's webpage had been defaced. 
[Redacted] provided the interviewing agents with a copy of the webpage 
defacement which reads as follows: 

"fuck USA Government 
fuck PoizonBOx 
contact: sysadmcn@yahoo.com.cn" 


(SA [redacted] showed [redacted] a copy of the webpage 
of www.hallmarkgrp.com captioned HALLMARK FINANCIAL SERVICES, INC. 
[Redacted] confirmed that the webpage represented the company webpage 
which was defaced.) Based on a review of the computer logs, [redacted] 
approximated the time of the first intrusion to have occurred at 
4:00 A.M. on May 5, 2001. The defacement occurred once again on 
the following day. [Redacted] advised she does not currently have 
logs for May 6, 2001. [Redacted] provided logs pertaining to May 5, 
2001. SA [redacted] showed [redacted] a copy of a Cyber Incident Report 
which was sent to nipc.watch@fbi.gov. [Redacted] confirmed she had 
completed the report and sent it to the nipc.watch@fbi.gov Internet 
site. 


[Redacted] believes the intruder entered the system through 
port 80 which is not blocked by the firewall. [Redacted] has no 
indication that the intruder accessed the information on the 
server. The server contains personal information on the insured 
clients. [Redacted] is not sure if any additional damage occurred 
other than the web defacement. 


Based on the review of the logs, the Internet Protocol 
(IP) address which appears suspicious to [redacted] is 202.107.11.78. 
[Redacted] conducted a trace route on this address through the DOS 
prompt. The results indicated that the IP address is that of 
Chinanet - China Telecom. 


The Windows NT Operating System was upgraded, and 
approximately two weeks ago, patches were installed in the system 
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to avoid the vulnerability identified. The firewalls are being 
monitored to ensure there are no abnormalities. [Redacted] does not 
know if there were any additional intrusion attempts. 


[Redacted] provided the interviewing agents with a letter 
which notes the financial loss to the company resulting from the 
web page defacement as being [redacted]. The letter contains a 
breakdown of this figure. [Redacted] advised she would provide a copy 
of a compact disc (CD) with additional log files at a future date. 


The following items will be maintained within the Exhibit 
section of the investigative file: 

1. Diagram of the network system provided by [redacted] 
2. Copy of the web defacement provided by [redacted] 
3. Copy of the logs provided by [redacted] 
4. Letter containing financial loss provided by [redacted] 
5. Copy of the original webpage shown to [redacted] 
6. Copy of the Cyber Incident Report shown to [redacted] 
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Approved By: [redacted] 
Drafted By: [redacted] 

Case ID #: [redacted] (Pending) 
Title: Hacker/Honker Union of China 
       Illinois Secretary of State-Victim 
       Computer Intrusion 
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Synopsis: To set forth partial lead coverage. 


Enclosure(s): Enclosed for Chicago are the following items: 

1. The original and one copy of an FD-302 reflecting the 
   interview of [redacted], American Hallmark Group. 
2. One 1-A envelope containing documents provided by [redacted] 
   and the original agent notes. 
3. The original and one copy of an FD-302 reflecting the receipt 
   of a compact disc (CD) containing the logs for the intrusion 
   of American Hallmark Group. 
4. One 1-A envelope containing the CD with the American Hallmark 
   logs. 
5. The original and one copy of an FD-302 reflecting the 
   [...] 
6. One 1-A envelope containing [...] 
   listed on #5 above. 
7. The original and one copy of an FD-302 reflecting the 
   interview of [redacted], Richmont. 
8. One 1-A envelope containing the original agent notes, one 
   floppy disk with logs, and other pertinent documents provided 
   by [redacted]. 
9. The original and one copy of an FD-302 reflecting the 
   [...] 
10. One 1-A envelope containing [...] 
    listed as #9 above. 
11. The original and one copy of an FD-302 reflecting the 
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To: Chicago    From: Dallas 
    interview of [redacted], Eligibility Services, Inc. 
12. One 1-A envelope with the original agent notes as well as 
    documents and a CD provided by [redacted] containing the logs 
    and other pertinent data. 
13. The original and one copy of an FD-302 reflecting the 
    [...] 
14. One 1-A envelope containing [...] 
    listed as #13 above. 
Details: For the information of Chicago, as set forth on the 
referenced communication, Dallas has received numerous complaints 
regarding Web site defacements which are related to captioned 
matter. Dallas is in the process of interviewing approximately 
17 victims and obtaining the logs and other pertinent data 
regarding the intrusions. The enclosed FD-302s represent some of 
the interviews as well as additional follow-up. Dallas has noted 
that the victims interviewed to date have all experienced similar 
Web page defacements which read, "fuck USA Government fuck 
PoizonBOx contact: sysadmcn@yahoo.com.cn". All victim servers 
were utilizing the Windows Operating System with IIS software. 
The following is a general outline of those entities which have 
experienced this intrusion along with the suspicious IP addresses 
noted by the victims. 
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Entity                      Contact person   Suspect IP Addresses
American Hallmark Group     [redacted]       202.107.11.78
Richmont                    [redacted]       216.221.210.134
                                             159.121.129.55
                                             211.101.145.202
                                             146.155.1.15
Eligibility Services, Inc.  [redacted]       208.177.103.98
                                             211.136.17.141
                                             202.241.213.160
                                             133.38.151.20

Dallas will continue forwarding results of interviews 
as well as logs and other pertinent information as it is 
obtained. 


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Set Lead 1: 
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